domain login script

Posted on 2004-10-10
Last Modified: 2008-01-09
I am currently publishing an application via terminal services.  My current setup has the user's local account set to "start the following program at logon", which is really just a small batch file that will open up the correct program for them.  This works perfectly for local accounts, but is not scalable.

I am now adding a domain controller and would like to replicate this setup for domain users.  I created an organizational unit and group for the terminal services users that will use my application.  I then set up a group policy with the login batch file in it.  For some reason, however, the script is never executed at login.

How can I do this, and, furthermore, how can I replicate my setup for local users with the domain?

Question by:antstrength
LVL 20

Expert Comment

ID: 12273231
There are numerous ways you should be able to achieve this. Have a look at these:
HOW TO: Automatically Run Programs When Users Log On to Windows 2000 Terminal Services (KB 321707)
How To Assign a Logon Script to a Profile for a Local User in Windows 2000 (KB 258286)

With group policy you need to make sure the relevant users or groups have read and apply permissions for that gpo. You also cannot apply group policy to a group by moving that group to an OU. The users in that group need to be in the OU. You can however filter the application of group policy by using security groups, details contained within this link,
4956 » How do I optimize Group Policy to increase logon performance
Also here's an extremely useful tool for managing and enumerating the results of application of group policy. You'll need either Windows 2003 Server or a Windows XP Pro SP1 client with the .NET Framework installed to run it. It will work within a Windows 2000 Server domain although it is slightly more limited,
Introducing the Group Policy Management Console

Hope that is a helpful start,

Deb :))

Author Comment

ID: 12274368
Thank you Deb for your helpful links on group policy.  I just spent some hours immersing myself in group policy and have had limited success accomplishing my ultimate goal.  Allow me to clarify it.

At the "Active Directory Users and Computers" snap-in, I have specified for each user to "start the following program at login".  The program is a small batch file which will open up the program that I am publishing.  When the program is closed, the user is automatically logged out (this is required).

If a user logs into the terminal server directly, this works perfectly.  If they log into another machine on the domain, the program does not start.  How can I accomplish this?

LVL 20

Expert Comment

ID: 12274857
You could assign this as a login script - so it runs when a user logs on to the domain. Short way to do it:
1) Create a new Organisational Unit in ADUC,
2) Move the users into this new OU
3) Right-click the OU, click properties, and then go to the group policy tab. Click New, to link a new GPO to the unit, and name it something appropriate.
4) Edit the group policy object - Expand User Configuration, Windows Settings and you'll see scripts (logon/logoff).
5) Double-click logon and it will bring up a new dialog box. Click show files and it will open up the relevant logon script folder for that policy. Paste your script into this folder. It needs to be in here in order to run. Close the folder, then on the scripts dialog box click add, browse and select your script. Then click open, and ok to attach that script as a logon script to that OU.
6) Click apply and then close, so that you come back to the general group policy dialog for that OU (options are new, add, edit, options, delete, properties).
7) Click on properties for that GPO - then click on security. Ensure that the users in this OU have both read and apply group policy permissions on that GPO. You can do this using a security group that the users are a member of.
8) Close, then run the following command from a command prompt -
secedit /refreshpolicy user_policy
This will allow the policy to be replicated. Then test the script by logging in as one of your target users,
How to assign scripts in Windows 2000

Bear in mind that this policy will apply no matter where these users login, unless you specify policy otherwise,

Hope that helps,

Deb :))

Expert Comment

ID: 12280116

Adding to what Deb has mentioned, I'm assuming you are requiring users to ONLY be able to use this particular software from their desktop and not be able to run anything else.  Sort of like a dumb terminal.  If that is the case, you might want to consider investing in TS dumb terminals.  They run for about $100 which is much cheaper than a full PC.

If purchasing new hardware is not an option for you, then consider locking down the PC to a minimum using Group Policy.  Meaning, you could redirect everyone's desktop to one particular desktop on the network \\server\share\desktop, My Documents to \\server\share\mydocs, etc.  Also, remove the Run command and set the Group Policy to "Only Allow running the following programs" and add your programs in there.  That will make the PC point to the read-only desktop which would have an icon for your batch file to start the application.  That application would be on the list of allowed programs.... you get the point.

If that route sounds applicable to your need and you would like help with setting up the GPO for that, let me know and I'd be happy to help out.


Author Comment

ID: 12284344
I have already locked down the desktop very much so.  Thank you for your suggestion.  This does not address my other problem, though.  I only want the user to see the application, and nothing else.  I also want the user to be logged out when the application closes.  This is how it works if the user is logged on locally to the domain controller, and the "start the following program at login" option is specified.

If I could just get other machines in the domain to also start the program at login, then the problem would be solved.

A possible route I have considered is to write a small VB application that will automatically open the correct version of the program (every user has his/her own copy), and specify it to start up instead of the Windows GUI.  This is much more work, though, than if there were an easy way to duplicate the domain controller's login behavior on the other domain computers.

LVL 20

Expert Comment

ID: 12293055

Are you using a terminal services or remote desktop connection only by any chance? It would appear so.  What you are looking for I think requires a bit of manipulation of group policy to achieve in the way that you wish as there is no simple setting in GP to mimic the way that the term services/remote desktop "start following program at logon" facility works (I agree that there should be though). I'll post some links - look for the policy scenarios "Highly Managed User" and "TaskStation". I know it references 2003 but it does also apply to 2000. Unfortunately it's not super-simple and will require some testing on your part. Note the GPMC is extremely useful anyway but requires Windows 2003 Server or a Windows XP SP1 client PC with the .NET Framework installed to run it. It will work on 2000 Server domains though and is worth a look as a useful tool for managing group policy if you haven't already come across it.

Introducing the Group Policy Management Console

But if ALL you need is to start the program at logon check out the policy under:
User Configuration - Administrative Templates - System - Custom User Interface
It is possible to add the path to your app here, i.e. %programfiles%\yourfolder\yourapp.exe

Worth a try if all you need is to start this program at logon.

Group Policy Common Scenarios Using GPMC
Implementing Common Desktop Management Scenarios with the Group Policy Management Console

You may also look into adding the application to the relevant Run keys in the client's registry as another option but let's see how this goes. I do have a VB script that will constantly check for an instance of a running application and log off a user when that app stops but haven't posted it yet as I'm not sure it will help. Let me know if you want it.

Hope that helps a bit!

Deb :))

Author Comment

ID: 12294036
Ahh, I can see where you guys are getting confused.  I am not using the "start following program at logon" that is present on the CLIENT.  I am setting it in ADUC for each user.  It's under the "Environment" tab, I think.

For deployment, I'm actually using the ActiveX control (formerly known as TSAC).

That VB script sounds like it could be an incredible help.  Ideally, it would start the right copy of the program for each user (I need to have a distinct copy for each user), and would be set as the custom GUI.  Got source?

LVL 20

Accepted Solution

Debsyl99 earned 500 total points
ID: 12297558

Ok - I'm not usually hard of thinking (well not much) - but I am slightly confused with this.

Let me try my understanding of your setup and correct me very clearly where I am getting it wrong!

"I am currently publishing an application via terminal services" - This application is therefore ONLY available through login to a terminal server then?

"My current setup has the user's local account specify to "start the following program at logon", which is really just a small batch file that will open up the correct program for them.  This works perfectly for local accounts, but is not scalable."

Presumably you mean either local accounts on your terminal server as opposed to domain accounts or actually physically logging on locally to the server.

So a user logs on to a PC on the domain and gets the usual desktop etc. for that PC that's a member of the domain. Do you want the users when logging on to the domain to go directly to your terminal server application, i.e. bypass their local desktop, or do you want them to just be able to double-click a remote desktop connection that will take them into that terminal server application directly once they've logged on and of course off the terminal server once they've closed the app?

It sounds like you want to bypass the desktop maybe - let me know,

The script - sample script off the web actually (sorry lost the link) - you'd need to adapt it, and it needs a .vbs extension - but let me know what you want first,

MsgBox "After you close all occurrences of Notepad, " _
              & "you will be logged out"

' task to check
sTask = "notepad.exe"

' The three following lines are just for test.
Set oShell = CreateObject("WScript.Shell")
' start task
oShell.Run sTask

Set oWmi = GetObject("winmgmts:")

' Waiting for task to disappear: poll WMI for a process with that name
Do While True
  sWmiq = "select Name from Win32_Process where name='" & sTask & "'"
  Set oQResult = oWmi.ExecQuery(sWmiq)

  If oQResult.Count = 0 Then
    ' use "." for local computer
    ' call ShutDown sub
    ' Use "Logoff_Force" for a forced logoff
    ShutDown ".", "Logoff"
    Exit Do
  End If
  ' 0.5 seconds pause
  WScript.Sleep 500
Loop

Sub ShutDown(sNode, sCmd)

  Const EWX_LOGOFF = 0
  Const EWX_SHUTDOWN = 1
  Const EWX_REBOOT = 2
  Const EWX_FORCE = 4
  Const EWX_POWEROFF = 8

  ' Connect with the Shutdown privilege enabled; Win32Shutdown needs it
  Set oWMI = GetObject("winmgmts:" _
     & "{impersonationLevel=impersonate,(Shutdown)}!\\" _
     & sNode & "\root\cimv2")

  ' There is a single Win32_OperatingSystem instance; take it and stop
  Set colOperatingSystems = oWMI.ExecQuery _
     ("Select * from Win32_OperatingSystem")
  For Each obj in colOperatingSystems
    Set oOS = obj :  Exit For
  Next

  sCmd = LCase(sCmd)

  ' The *_force variants add EWX_FORCE so open applications cannot block the action
  Select Case sCmd
    Case "logoff"
      iCmd = EWX_LOGOFF
    Case "logoff_force"
      iCmd = EWX_LOGOFF + EWX_FORCE
    Case "shutdown"
      iCmd = EWX_SHUTDOWN
    Case "shutdown_force"
      iCmd = EWX_SHUTDOWN + EWX_FORCE
    Case "reboot"
      iCmd = EWX_REBOOT
    Case "reboot_force"
      iCmd = EWX_REBOOT + EWX_FORCE
    Case "poweroff"
      iCmd = EWX_POWEROFF
    Case "poweroff_force"
      iCmd = EWX_POWEROFF + EWX_FORCE
    Case Else
      ' Default value
      iCmd = EWX_POWEROFF
  End Select

  oOS.Win32Shutdown iCmd
End Sub

Deb :))
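The thread converges on two pieces: the Custom User Interface policy that replaces the desktop with a single program, and a script that ends the session once that program exits. The following VBScript is an added example, not Deb's sample and not from the original thread, that combines them for the per-user-copy case the asker describes. It assumes a constructed layout where each user's copy lives at \\server\apps\<username>\app.exe (placeholder share and file name) and that logoff.exe is available on the terminal server; the script is meant to be set as the shell under User Configuration - Administrative Templates - System - Custom User Interface. Unlike polling by process name, it waits on the process it started, so a second user running the same executable name in another session does not confuse it.

```vbscript
' Added example: per-user launcher to use as a custom shell.
' Starts the user's own copy of the published application, waits for
' it to exit, then logs the session off so no desktop is ever exposed.
Option Explicit

Dim oShell, oFso, oEnv, sUser, sAppRoot, sApp

Set oShell = CreateObject("WScript.Shell")
Set oFso   = CreateObject("Scripting.FileSystemObject")
Set oEnv   = oShell.Environment("Process")

' Assumed layout (placeholder share): \\server\apps\<username>\app.exe
sAppRoot = "\\server\apps\"
sUser    = oEnv("USERNAME")
sApp     = sAppRoot & sUser & "\app.exe"

' Never fall back to a desktop: if there is no copy for this user,
' tell them briefly and end the session.
If Not oFso.FileExists(sApp) Then
    oShell.Popup "No application is configured for " & sUser & ".", 10, "Logon", 48
    EndSession
End If

' Run the user's copy and block until it exits.
' Arguments: quoted command line, 1 = normal window, True = wait for return.
oShell.Run """" & sApp & """", 1, True

' The application has closed (normally or by crashing): end the session,
' mirroring the ADUC "start the following program at logon" behaviour.
EndSession

Sub EndSession()
    ' logoff.exe (assumed present on the terminal server) ends the current
    ' session without needing the WMI Shutdown privilege.
    oShell.Run "logoff.exe", 0, True
    WScript.Quit
End Sub
```

Because the policy applies per user, keep it on the GPO linked to the terminal-server users' OU and filter it with a security group so administrators who log on to the same servers still get a normal desktop. Test with one account first: a shell script that fails silently leaves the user staring at a blank session.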


Author Comment

ID: 12299984
Thank you for all your help.  I will modify that script to do exactly what I need.  All of the users in question are logging onto my terminal servers via their own unmanaged machines.  What I have done in the past is to create regular, local accounts on each of my terminal servers.  I am now moving the terminal servers to a domain, and that is why I am trying to replicate the process of logging in locally via terminal services with a domain.
